From 933604fd8148ef48d17d8c6d981ea8eb8a879b32 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Thu, 23 Jun 2022 11:54:52 -0700
Subject: [PATCH] Update oauth2 gem to v2.0.2

Bump the version to keep up with the latest security fixes, but we
also need this update for FIPS compliance, as this version drops the
use of MD5 from nonce generation.

Almost all the changes are backwards compatible, but there is a change
in v1.4.9 (https://github.com/oauth-xx/oauth2/pull/469) that breaks
the `omniauth-gitlab` integration. This will be worked around in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/90866.

The oauth2 gem normalized all parameters to strings in
https://github.com/oauth-xx/oauth2/pull/536. Update the test
to reflect that.

Parse errors are also no longer rescued due to
https://github.com/oauth-xx/oauth2/pull/576. Previously stubbing an
Array would work because the original body would be returned. To
accommodate this in our tests, call `to_json` on the stubbed output.

We can't remove the monkey patch mentioned in
https://gitlab.com/gitlab-org/gitlab/-/issues/340933 yet because we
need to make `omniauth-oauth2` rescue `OAuth2` exceptions that have now
been subclassed from Faraday exceptions.

The existing patch is compatible because:

1. https://github.com/oauth-xx/oauth2/pull/549 added handling of
`Faraday::ConnectionFailed` by raising `OAuth2::ConnectionError`, but
the latter is just a subclass of the former.

2. https://github.com/oauth-xx/oauth2/pull/604 added handling of
`Faraday::TimeoutError` by raising `OAuth2::TimeoutError`, but again
the latter is just a subclass of the former.

Diff: https://my.diffend.io/gems/oauth2/1.4.7/2.0.2
Changes: https://github.com/oauth-xx/oauth2/blob/master/CHANGELOG.md

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/361284

Changelog: changed
---
 Gemfile                                              |  2 +-
 Gemfile.lock                                         | 12 ++++++++----
 spec/controllers/import/bitbucket_controller_spec.rb |  2 +-
 spec/lib/gitlab/gitlab_import/importer_spec.rb       |  4 ++--
 4 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/Gemfile b/Gemfile
index 8ca232fc1e624..368b186f2c8d5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -466,7 +466,7 @@ gem 'benchmark-memory', '~> 0.1', require: false
 gem 'activerecord-explain-analyze', '~> 0.1', require: false
 
 # OAuth
-gem 'oauth2', '~> 1.4'
+gem 'oauth2', '~> 2.0'
 
 # Health check
 gem 'health_check', '~> 3.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 2c6a35fe072d5..809015f3ba538 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -815,12 +815,13 @@ GEM
       shellany (~> 0.0)
     numerizer (0.2.0)
     oauth (0.5.6)
-    oauth2 (1.4.7)
-      faraday (>= 0.8, < 2.0)
+    oauth2 (2.0.2)
+      faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
-      multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
+      rash_alt (>= 0.4, < 1)
+      version_gem (~> 1.0)
     octokit (4.20.0)
       faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
@@ -1042,6 +1043,8 @@ GEM
     rainbow (3.1.1)
     rake (13.0.6)
     randexp (0.1.7)
+    rash_alt (0.4.12)
+      hashie (>= 3.4)
     rb-fsevent (0.10.4)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
@@ -1400,6 +1403,7 @@ GEM
     validates_hostname (1.0.11)
       activerecord (>= 3.0)
       activesupport (>= 3.0)
+    version_gem (1.0.0)
     version_sorter (2.2.4)
     view_component (2.50.0)
       activesupport (>= 5.0.0, < 8.0)
@@ -1604,7 +1608,7 @@ DEPENDENCIES
   net-ldap (~> 0.16.3)
   net-ntp
   nokogiri (~> 1.13.6)
-  oauth2 (~> 1.4)
+  oauth2 (~> 2.0)
   octokit (~> 4.15)
   ohai (~> 16.10)
   oj (~> 3.10.6)
diff --git a/spec/controllers/import/bitbucket_controller_spec.rb b/spec/controllers/import/bitbucket_controller_spec.rb
index 8f11ab86efa8d..af220e2d5159a 100644
--- a/spec/controllers/import/bitbucket_controller_spec.rb
+++ b/spec/controllers/import/bitbucket_controller_spec.rb
@@ -65,7 +65,7 @@ def assign_session_tokens
           .with(hash_including(
                   'grant_type' => 'authorization_code',
                   'code' => code,
-                  redirect_uri: users_import_bitbucket_callback_url),
+                  'redirect_uri' => users_import_bitbucket_callback_url),
                 {})
           .and_return(access_token)
         stub_omniauth_provider('bitbucket')
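Review bot: The switch from `redirect_uri:` to `'redirect_uri' =>` on the changed line makes the expectation depend on oauth2 >= 2.0 normalizing every token-request parameter to a string key (the commit message cites oauth-xx/oauth2#536), but nothing in the spec itself records that, so a future reader could plausibly "fix" it back to a symbol and get a confusing `hash_including` mismatch. A one-line comment above the `.with(hash_including(` call, e.g. `# oauth2 >= 2.0 normalizes token params to string keys`, would pin the reason. The `expect`/`allow` chain that this `.with` belongs to starts outside the hunk, as does the enclosing example.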
diff --git a/spec/lib/gitlab/gitlab_import/importer_spec.rb b/spec/lib/gitlab/gitlab_import/importer_spec.rb
index eb4c404e45476..984c690add6c0 100644
--- a/spec/lib/gitlab/gitlab_import/importer_spec.rb
+++ b/spec/lib/gitlab/gitlab_import/importer_spec.rb
@@ -21,8 +21,8 @@
             'name' => 'John Doe'
           }
         }
-      ])
-      stub_request('issues/3/notes', [])
+      ].to_json)
+      stub_request('issues/3/notes', [].to_json)
     end
 
     it 'persists issues' do
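Review bot: The two `.to_json` calls assume `stub_request` passes the body through verbatim and responds with a JSON content type; its definition is outside the hunk, so if the helper already serializes its argument the fixture would be double-encoded and oauth2 >= 2.0, which per the commit message no longer rescues parse errors, would hand the importer a String rather than an Array. Worth confirming the helper's body handling once, and recording the constraint with a comment above the first stub such as `# oauth2 >= 2.0 parses the body as JSON, so stubs must be encoded`. The enclosing `before` block starts outside the hunk and the `it 'persists issues'` example on the last line continues past it.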
-- 
GitLab